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Abstract. We describe an approach to the verihed implementation of 
transformations on functional programs that exploits the higher-order 
representation of syntax. In this approach, transformations are specified 
using the logic of hereditary Harrop formulas. On the one hand, these 
specifications serve directly as implementations, being programs in the 
language AProlog. On the other hand, they can be used as input to the 
Abella system which allows us to prove properties about them and thereby 
about the implementations. We argue that this approach is especially 
effective in realizing transformations that analyze binding structure. We 
do this by describing concise encodings in AProlog for transformations 
like typed closure conversion and code hoisting that are sensitive to such 
structure and by showing how to prove their correctness using Abella. 


1 Introduction 

This paper concerns the verification of compilers for functional (programming) 
languages. The interest in this topic is easily explained. Functional languages 
support an abstract view of computation that makes it easier to construct 
programs and the resulting code also has a flexible structure. Moreover, these 
languages have a strong mathematical basis that simplifies the process of proving 
programs to be correct. However, there is a proviso to this observation: to derive 
the mentioned benefit, the reasoning must be done relative to the abstract model 
underlying the language, whereas programs are typically executed only in their 
compiled form. To close the gap, it is important also to ensure that the compiler 
that carries out the translation preserves the meanings of programs. 

The key role that compiler verification plays in overall program correctness 
has been long recognized; e.g. see [22127) for early work on this topic. With the 
availability of sophisticated systems such as Coq [5], Isabelle |33j and HOL m 
for mechanizing reasoning, impressive strides have been taken in recent years 
towards actually verifying compilers for real languages, as seen, for instance, 
in the CompCert project j2T]. Much of this work has focused on compiling im¬ 
perative languages like C. Features such as higher-order and nested functions 
that are present in functional languages bring an additional complexity to their 
implementation. A common approach to treating such features is to apply trans¬ 
formations to programs that render them into a form to which more traditional 
compilation methods can be applied. These transformations must manipulate 
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binding structure in complex ways, an aspect that requires special consideration 
at both the implementation and the verification level [3] . 

Applications such as those above have motivated research towards develop¬ 
ing good methods for representing and manipulating binding structure. Two 
particular approaches that have emerged from this work are those that use the 
nameless representation of bound variables due to De Bruijn and the nominal 
logic framework of Pitts [3S] . These approaches provide an elegant treatment of 
aspects such as a-convertibility but do not directly support the analysis of binding 
structure or the realization of binding-sensitive operations such as substitution. 
A third approach, commonly known as the higher-order abstraet syntax or HOAS 
approach, uses the abstraction operator in a typed A-calculus to represent binding 
structure in object-language syntax. When such representations are embedded 
within a suitable logic, they lead to a succinct and flexible treatment of many 
binding related operations through /3-conversion and unification. 

The main thesis of this paper, shared with other work such as [16] and m , is 
that the HOAS approach is in fact well-adapted to the task of implementing and 
verifying compiler transformations on functional languages. Our specific objective 
is to demonstrate the usefulness of a particular framework in this task. This 
framework comprises two parts: the AProlog language |30| that is implemented, 
for example, in the Teyjus system [33], and the Abella proof assistant [3]. The 
AProlog language is a realization of the hereditary Harrop formulas or HOHH 
logic [ 33 . We show that this logic, which uses the simply typed A-calculus as a 
means for representing objects, is a suitable vehicle for specifying transformations 
on functional programs. Moreover, HOHH specifications have a computational 
interpretation that makes them implementations of compiler transformations. 
The Abella system is also based on a logic that supports the HOAS approach. 
This logic, which is called Q, incorporates a treatment of fixed-point definitions 
that can also be interpreted inductively or co-inductively. The Abella system 
uses these dehnitions to embed HOHH within Q and thereby to reason directly 
about the specifications written in HOHH. As we show in this paper, this yields 
a convenient means for verifying implementations of compiler transformations. 

An important property of the framework that we consider, as also of systems 
like LF [17] and Beluga [34], is that it uses a weak A-calculus for representing 
objects. There have been attempts to derive similar benefits from using functional 
languages or the language underlying systems such as Coq. Some benefits, such 
as the correct implementation of substitution, can be obtained even in these 
contexts. However, the equality relation embodied in these systems is very strong 
and the analysis of A-terms in them is therefore not limited to examining just their 
syntactic structure. This is a significant drawback, given that such examination 
plays a key role in the benefits we describe in this paper. In light of this distinction, 
we shall use the term X-tree syntax [33] for the more restricted version of HOAS 
whose use is the focus of our discussions. 

The rest of this paper is organized as follows. In Section]^ we introduce the 
reader to the framework mentioned above. We then show in succeeding sections 
how this framework can be used to implement and to verify transformations on 
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functional programs. We conclude the paper by discussing the relationship of the 
ideas we describe here to other existing workQ 

2 The Framework 

We describe, in turn, the specification logic and AProlog, the reasoning logic, and 
the manner in which the Abella system embeds the specification logic. 

2.1 The specification logic and AProlog 

The HOHH logic is an intuitionistic and predicative fragment of Church’s Simple 
Theory of Types |12j . Its types are formed using the function type constructor 
—over user defined primitive types and the distinguished type o for formulas. 
Expressions are formed from a user-defined signature of typed constants whose 
argument types do not contain o and the logical constants ^ and & of type 
o — ^ o —7 ^ o and Ur of type (r — ^ o) — ^ o for each type r not containing 
o. We write ^ and &, which denote implication and conjunction respectively, 
in infix form. Further, we write X{x : t)M, which represents the universal 
quantification of x over M, as UtX M. 

The logic is oriented around two sets of formulas called goal formulas and 
program clauses that are given by the following syntax rules: 

G ::= A\GkG\D^G\nrxG 

D ::= A\G^A\nrxD 

Here, A represents atomic formulas that have the form (pH ... H) where p 
is a (user defined) predicate constant, i.e. a constant with target type o. Goal 
formulas of the last two kinds are referred to as hypothetical and universal goals. 
Using the notation U^x to denote a sequence of quantifications, we see that a 
program clause has the form U^x A or IlfX G => A. We refer to A as the head 
of such a clause and G as the body; in the first case the body is empty. 

A collection of program clauses constitutes a program. A program and a 
signature represent a specification of all the goal formulas that can be derived 
from them. The derivability of a goal formula G is expressed formally by the 
judgment A; G; U h G in which A is a signature, 0 is a collection of program 
clauses defined by the user and U is a collection of dynamically added program 
clauses. The validity of such a judgment—also called a sequent—is determined 
by provability in intuitionistic logic but can equivalently be characterized in a 
goal-directed fashion as follows. If G is conjunctive, it yields sequents for “solving” 
each of its conjuncts in the obvious way. If it is a hypothetical or a universal 
goal, then one of the following rules is used: 

E-0-r,D^G ^ (c ^ E) r, c : t; 6>; r h G[c/®] 

E-,o-,r'r D ^ G E-,&-r\-n.rxG 

In the iTR rule, c must be a constant not already in S; thus, these rules 
respectively cause the program and the signature to grow while searching for 

^ The actual development of several of the proofs discussed in this paper can be found 
at the URL http://www-users.cs.uinn.edu/~gopalan/papers/compilation/ 
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a derivation. Once G has been simplified to an atomic formula, the sequent is 
derived by generating an instance of a clause from 0 or F whose head is identical 
to G and by constructing a derivation of the corresponding body of the clause if 
it is non-empty. This operation is referred to as backchaining on a clause. 

In presenting HOHH specifications in this paper we will show programs as a 
sequence of clauses each terminated by a period. We will leave the outermost 
universal quantification in these clauses implicit, indicating the variables they 
bind by using tokens that begin with uppercase letters. We will write program 
clauses of the form G ^ A as A : - G. We will show goals of the form Gi A G 2 
and TTt-j/ G as Gi , G 2 and pi y : t\ G, respectively, dropping the type annotation 
in the latter if it can be filled in uniquely based on the context. Finally, we will 
write abstractions as y\M instead of XyM. 

Program clauses provide a natural means for encoding rule based specifications. 
Each rule translates into a clause whose head corresponds to the conclusion and 
whose body represents the premises of the rule. These clauses embody additional 
mechanisms that simplify the treatment of binding structure in object languages. 
They provide A-terms as a means for representing objects, thereby allowing 
binding to be reflected into an explicit meta-language abstraction. Moreover, 
recursion over such structure, that is typically treated via side conditions on rules 
expressing requirements such as freshness for variables, can be captured precisely 
through universal and hypothetical goals. This kind of encoding is concise and 
has logical properties that we can use in reasoning. 

We illustrate the above ideas by considering the specihcation of the typing 
relation for the simply typed A-calculus (STLC). Let N be the only atomic type. 
We use the HOHH type ty for representations of object language types that we 
build using the constants n : ty and arr : ty —>■ ty —>■ ty. Similarly, we use 
the HOHH type tm for encodings of object language terms that we build using 
the constants app : tm —>■ tm —>■ tm and abs : ty —>■ (tm —)■ tm) —>■ tm. 
The type of the latter constructor follows our chosen approach to encoding binding; 
for example, we represent the STLC expression (A(y : N ^ N) X{x : N) {y x)) 
by the HOHH term (abs (arr n n) (y\ (abs n (x\ (app y x) )))). Typing 
for the STLC is a judgment written ss F \- T ■. Ty that expresses a relationship 
between a context F that assigns types to variables, a term T and a type Ty. 
Such judgments are derived using the following rules: 

C h Ti : Tj/i ^ rj/2 r h T2 : Tyi r,y ■. T ■. Ty^ 

r^FT2-.Ty, r h X{y : Ty,) T : {Ty, ^ Ty^) 

The second rule has a proviso: y must be fresh to F. In the A-tree syntax 
approach, we encode typing as a binary relation between a term and a type, 
treating the typing context implicitly via dynamically added clauses. Using the 
predicate of to represent this relation, we define it through the following clauses: 
of (app T1 T2) Ty2 : - of T1 (arr Tyl Ty2), of T2 Tyl. 

of (abs Tyl T) (arr Tyl Ty2) : - pi y\ (of y Tyl => of (T y) Ty2) . 

The second clause effectively says that (abs Tyl T) has the type (arr Tyl Ty2) 

if (T y) has type Ty2 in an extended context that assigns y the type Tyl. Note 

that the universal goal ensures that y is new and, given our encoding of terms. 
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(T y) represents the body of the object language abstraction in which the bound 
variable has been replaced by this new name. 

The rules for deriving goal formulas give HOHH specifications a computa¬ 
tional interpretation. We may also leave particular parts of a goal unspecified, 
representing them by “meta-variables,” with the intention that values be found 
for them that make the overall goal derivable. This idea underlies the language 
AProlog that is implemented, for example, in the Teyjus system [36]. 

2.2 The reasoning logic and Abella 

The inference rules that describe a relation are usually meant to be understood 
in an “if and only if” manner. Only the “if” interpretation is relevant to using 
rules to effect computations and their encoding in the HOHH logic captures this 
part adequately. To reason about the properties of the resulting computations, 
however, we must formalize the “only if” interpretation as well. This functionality 
is realized by the logic Q that is implemented in the Abella system. 

The logic Q is also based on an intuitionistic and predicative version of 
Church’s Simple Theory of Types. Its types are like those in HOHH except 
that the type prop replaces o. Terms are formed from user-defined constants 
whose argument types do not include prop and the following logical constants: 
true and false of type prop; A, V and —)■ of type prop —prop ^ prop 
for conjunction, disjunction and implication; and, for every type r not containing 
prop, the quantifiers Vt- and 3,-of type (r —)• prop) — >• prop and the equality 
symbol =t of type t ^ t ^ prop. The formula B =r B' holds if and only if 
B and B' are of type r and equal under aPp conversion. We will omit the type 
T in logical constants when its identity is clear from the context. 

A novelty of Q is that it is parameterized by fixed-point definitions. Such 
definitions consist of a collection of definitional clauses each of which has the 
form Vi, A = B where A is an atomic formula all of whose free variables are 
bound by x and H is a formula whose free variables must occur in A; A is called 
the head of such a clause and B is called its bodyQTo illustrate definitions, let 
olist represent the type of lists of HOHH formulas and let nil and : :, written 
in infix form, be constants for building such lists. Then the append relation at 
the olist type is defined in Q by the following clauses: 
append nil L L; 

append (X :: LI) L2 (X :: L3) = append LI L2 L3. 

This presentation also illustrates several conventions used in writing definitions: 
clauses of the form Vs, A = true are abbreviated to Vs, A, the outermost universal 
quantifiers in a clause are made implicit by representing the variables they bind 
by tokens that start with an uppercase letter, and a sequence of clauses is written 
using semicolon as a separator and period as a terminator. 

The proof system underlying Q interprets atomic formulas via the fixed-point 
definitions. Concretely, this means that definitional clauses can be used in two 

^ To be acceptable, definitions must cumulatively satisfy certain stratification condi¬ 
tions [ 23 ] that we adhere to in the paper but do not explicitly discnss. 
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ways. First, they may be used in a backchaining mode to derive atomic formulas; 
the formula is matched with the head of a clause and the task is reduced to 
deriving the corresponding body. Second, they can also be used to do case analysis 
on an assumption. Here the reasoning structure is that if an atomic formula 
holds, then it must be because the body of one of the clauses defining it holds. It 
therefore suffices to show that the conclusion follows from each such possibility. 

The clauses defining a particular predicate can further be interpreted induc¬ 
tively or coinductively, leading to corresponding reasoning principles relative to 
that predicate. As an example of how this works, consider proving 

VLl L2 L3, append LI L2 L3 —)■ append LI L2 L3’ —)■ L3 = L3’ 

assuming that we have designated append as an inductive predicate. An induction 
on the first occurrence of append then allows us to assume that the entire formula 
holds any time the leftmost atomic formula is replaced by a formula that is 
obtained by unfolding its definition and that has append as its predicate head. 

Many arguments concerning binding require the capability of reasoning over 
structures with free variables where each such variable is treated as being distinct 
and not further analyzable. To provide this capability, Q includes the special 
generic quantifier Vt, pronounced as “nabla”, for each type r not containing 
prop [26]. In writing this quantifier, we, once again, elide the type r. The 
rules for treating V in an assumed formula and a formula in the conclusion are 
similar: a “goal” with (Vx M) in it reduces to one in which this formula has been 
replaced by M [c/x] where c is a fresh, unanalyzable constant called a nominal 
constant Note that V has a meaning that is different from that of V: for example, 
(V X y, X = y —> false) is provable but (V x y, x = y —> false) is not. 

Q allows the V quantifier to be used also in the heads of definitions. The full 
form for a definitional clause is in fact Va:Vz,A A B, where the V quantifiers 
scope only over A. In generating an instance of such a clause, the variables in z 
must be replaced with nominal constants. The quantification order then means 
that the instantiations of the variables in x cannot contain the constants used 
for z. This extension makes it possible to encode structural properties of terms 
in definitions. For example, the clause (V x, name x) defines name to be a 
recognizer of nominal constants. Similarly, the clause (V x, fresh x B) defines 
fresh such that (fresh X B) holds just in the case that X is a nominal constant 
and B is a term that does not contain X. As a final example, consider the following 
clauses in which of is the typing predicate from the previous subsection. 

ctx nil; 

Vx, ctx (of X T : : L) A ctx L. 

These clauses define ctx such that (ctx L) holds exactly when L is a list of type 
assignments to distinct variables. 

2.3 The two-level logic approach 

Our framework allows us to write specifications in HOHH and reason about 
them using Q . Abella supports this two-level logic approach by encoding HOHH 
derivability in a definition and providing a convenient interface to it. The user 
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program and signature for these derivations are obtained from a AProlog program 
file. The state in a derivation is represented by a judgment of the form {T h G} 
where F is the list of dynamically added clauses; additions to the signature 
are treated implicitly via nominal constants. If F is empty, the judgment is 
abbreviated to {G}. The theorems that are to be proved mix such judgments 
with other ones defined directly in Abella. For example, the uniqueness of typing 
for the STLC based on its encoding in HOHH can be stated as follows: 

VL M T T’ , ctx L {L I- of M T} ^ {L I- of M T’> T = T’ . 

This formula talks about the typing of open terms relative to a dynamic collection 
of clauses that assign unique types to (potentially) free variables. 

The ability to mix specifications in HOHH and definitions in Abella provides 
considerable expressivity to the reasoning process. This expressivity is further 
enhanced by the fact that both HOHH and Q support the A-tree syntax approach. 
We illustrate these observations by considering the explicit treatment of sub¬ 
stitutions. We use the type map and the constant map: tm —>■ tm —)■ map to 
represent mappings for individual variables (encoded as nominal constants) and 
a list of such mappings to represent a substitution; for simplicity, we overload 
the constructors nil and : : at this type. Then the predicate subst such that 
subst ML M M’ holds exactly when M’ is the result of applying the substitution 
ML to M can be defined by the following clauses: 
subst nil M M; 

Vx, subst ((map x V) : : ML) (R x) M A subst ML (R V) M. 

Observe how quantifier ordering is used in this definition to create a “hole” where 
a free variable appears in a term and application is then used to plug the hole 
with the substitution. This definition makes it extremely easy to prove structural 
properties of substitutions. For example, the fact that substitution distributes 
over applications and abstractions can be stated as follows: 

VML Ml M2 M’, subst ML (app Ml M2) M’ 

3M1’ M2’, M’ = app Ml’ M2’ A subst ML Ml Ml’ A subst ML M2 M2’. 

VML R T M’, subst ML (abs T R) M’ -A 

3R’, M’ = abs T R’ A Vx, subst ML (R x) (R’ x) . 

An easy induction over the definition of substitution proves these properties. 

As another example, we may want to characterize relationships between closed 
terms and substitutions. For this, we can first define well-formed terms through 
the following HOHH clauses: 
tm (app M N) :- tm M, tm N. 
tm (abs T R) : - pi x\ tm x => tm (R x) . 

Then we characterize the context used in tm derivations in Abella as follows: 
tm_ctx nil; 

Vx, tm_ctx (tm X : : L) A tm_ctx L. 

Intuitively, if tm_ctx L and {L h tm M} hold, then M is a well-formed term 
whose free variables are given by L. Clearly, if {tm M} holds, then M is closed. 
Now we can state the fact that a closed term is unaffected by a substitution: 

VML M M’ , {tm M} subst ML M M’ M = M’ . 

Again, an easy induction on the definition of substitutions proves this property. 
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3 Implementing Transformations on Functional Programs 

We now turn to the main theme of the paper, that of showing the benehts of 
our framework in the verified implementation of compilation-oriented program 
transformations for functional languages. The case we make has the following 
broad structure. Program transformations are often conveniently described in 
a syntax-directed and rule-based fashion. Such descriptions can be encoded 
naturally using the program clauses of the HOHH logic. In transforming functional 
programs, special attention must be paid to binding structure. The A-tree syntax 
approach, which is supported by the HOHH logic, provides a succinct and logically 
precise means for treating this aspect. The executability of HOHH specifications 
renders them immediately into implementations. Moreover, the logical character 
of the specifications is useful in the process of reasoning about their correctness. 

This section is devoted to substantiating our claim concerning implementation. 
We do this by showing how to specify transformations that are used in the 
compilation of functional languages. An example we consider in detail is that of 
closure conversion. Our interest in this transformation is twofold. First, it is an 
important step in the compilation of functional programs: it is, in fact, an enabler 
for other transformations such as code hoisting. Second, it is a transformation that 
involves a complex manipulation of binding structure. Thus, the consideration of 
this transformation helps shine a light on the special features of our framework. 
The observations we make in the context of closure conversion are actually 
applicable quite generally to the compilation process. We close the section by 
highlighting this fact relative to other transformations that are of interest. 

3.1 The closure conversion transformation 

The closure conversion transformation is designed to replace (possibly nested) 
functions in a program by closures that each consist of a function and an environ¬ 
ment. The function part is obtained from the original function by replacing its 
free variables by projections from a new environment parameter. Complementing 
this, the environment component encodes the construction of a value for the new 
parameter in the enclosing context. For example, when this transformation is 
applied to the following pseudo OCaml code segment 

let X = 2 in let y = 3 in (fun z. z + x + y) 
it will yield 

let X = 2 in let y = 3 in <fun z e. z + e.l + e.2, (x,y)> 

We write <F,E> here to represent a closure whose function part is F and en¬ 
vironment part is E, and e. i to represent the i-th projection applied to an 
“environment parameter” e. This transformation makes the function part inde¬ 
pendent of the context in which it appears, thereby allowing it to be extracted 
out to the top-level of the program. 

The source and target languages. Figures and [^present the syntax of the 
source and target languages that we shall use in this illustration. In these figures, 
T, M and V stand respectively for the categories of types, terms and the terms 
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T N I Ti — >• T2 I unit | Ti X T2 T : 

M n I rc I pred M \ Mi + M2 M 

I if Ml then M2 else M3 
I 0 I {Ml, M2) I fst M I snd M 
I let X — Ml in M2 
I fix fx.M I (Ml M2) 

y n I fix fx.M \ () | (^1,^2) V 


- N I Ti —>■ T2 I Ti ^ T2 I unit | Ti x T2 

- n \ X \ pred M | Mi + M2 
I if Ml then M2 else M3 

I 0 I (Ml, M2) I fst M I snd M 
I let X — Ml in M2 \ Xx.M \ (Mi M2) 

I (Ml, M2) I open {xf, Xe) — Mi in M2 
: n I Xx.M I 0 I iVi,V2) I (V, V2) 


Fig. 1: Source language syntax 


Fig. 2: Target language syntax 


recognized as values. N is the type for natural numbers and n corresponds to 
constants of this type. Our languages include some arithmetic operators, the 
conditional and the tuple constructor and destructors; note that pred represents 
the predecessor function on numbers, the behavior of the conditional is based 
on whether or not the “condition” is zero and fst and snd are the projection 
operators on pairs. The source language includes the recursion operator fix 
which abstracts simultaneously over the function and the parameter; the usual 
abstraction is a degenerate case in which the function parameter does not 
appear in the body. The target language includes the expressions {Mi, M 2 ) and 
(open {xf,Xe) = Ml in M 2 ) representing the formation and application of 
closures. The target language does not have an explicit fixed point constructor. 
Instead, recursion is realized by parameterizing the function part of a closure with 
a function component; this treatment should become clear from the rules for typing 
closures and for evaluating the application of closures that we present below. The 
usual forms of abstraction and application are included in the target language to 
simplify the presentation of the transformation. The usual function type is reserved 
for closures; abstractions are given the type Ti ^ T 2 in the target language. 
We abbreviate (Mi,..., (M„, ())) by (Mi,..., M„) and fst (snd (... (snd M))) 
where snd is applied i — 1 times for i > 1 by TTi{M). 

Typing judgments for both the source and target languages are written as 
r \- M : T, where T is a list of type assignments for variables. The rules for 
deriving typing judgments are routine, with the exception of those for introducing 
and eliminating closures in the target language that are shown below: 


h Ml : ((Ti Ta) x Ti x Te) ^ Ta F h Ma : Te 
r h (Ml, Ma) : Ti —>■ Ta 


cof-clos 


r h Ml : Ti Ta r,Xf : {{Ti ^ T2) x Ti x 1) ^ T2,Xe : I h M2 : T 
r h open {xf,Xe) = Ml in M2 : T 


cof-open 


In cof-clos, the function part of a closure must be typable in an empty context. 
In cof-open, Xf,Xe must be names that are new to F. This rule also uses a “type” 
I whose meaning must be explained. This symbol represents a new type constant, 
different from N and () and any other type constant used in the typing derivation. 
This constraint in effect captures the requirement that the environment of a 
closure should be opaque to its user. 

The operational semantics for both the source and the target language is 
based on a left to right, call-by-value evaluation strategy. We assume that this is 
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{x I—>■ M) G p 


p > Xi 


Ml 


p\> 


■ Mr, 


p > n -w n 


cc-nat 
p > M - 


p\> X ■ 

M' 


■ M 

cc-pred 


p > {X\, . . . , Xn) -^e (Ml, . . . , Mn) 

p > Ml M[ p > M2 M9 


p > pred M pred M' p > Mi + M2 M( + M^ 

p > M M' p > Ml -w M( p > M2 M2 


cc-plus 


p > if M then Mi else M2 if M' then M{ else M2 


p > Ml M( p > M2 M' p > M M' 

- cc-pair ' 

p > (Ml, M2) {M [, M2) p > fst M fst M' 

p > Ml M( p, a: I— >• y > M2 M^ 

p > let X = Ml in M2 let y — in M^ 

p > Ml M( p > M2 M2 


cc-if 


;-fst 


poO-^0 

p> M M' 


p > snd M snd M' 
cc-let y must be fresh 


-snd 


p > Ml M2 let g — M[ in open {x f, x^) — g in Xf {g, , Xe) 

{xi, . . . , Xn) ^ fvars(fix / x.M) p > (xi, . . . , x^i) Me p' > M 


cc-app g must be fresh 
M' 


-fix 


p > fix f X.M (Ap.let g — I (p) in let y — 7^2 (p) in let Xe — in M ', Me) 

where p' — {x y, f 9-,Xx ’Ki^Xe), • ■ • ,Xn (^^e)) s,nd p, g, y, and Xg are fresh variables 


Fig. 3: Closure Conversion Rules 

given in small-step form and, overloading notation again, we write M M' 
to denote that M evaluates to M' in one step in whichever language is under 
consideration. The only evaluation rules that may be non-obvious are the ones 

for applications. For the source language, they are the following: 

Afi ^—>^1 Ml 7tf2 M 2 

Ml M 2 Mi M 2 Vi M 2 Vi M^ (fix fx.M) V M[fix / x.M//, F/x] 

For the target language, they are the following: 

Ml ^i Mi 

open {xf,Xe) = Ml in M 2 '^1 open {xf,Xe) = M[ in M 2 


open {xf,Xe} = {Vf,Ve} in M 2 M 2 [F//x/, K/^e] 

One-step evaluation generalizes in the obvious way to n-step evaluation that we 
denote by M M'. Finally, we write M ^ V to denote the evaluation of M 
to the value V through 0 or more steps. 

The transformation. In the general case, we must transform terms under 
mappings for their free variables: for a function term, this mapping represents the 
replacement of the free variables by projections from the environment variable 
for which a new abstraction will be introduced into the term. Accordingly, we 
specify the transformation as a 3-place relation written as pt>M -w M', where M 
and M' are source and target language terms and p is a mapping from (distinct) 
source language variables to target language terms. We write {p,x >->■ M) to 
denote the extension of p with a mapping for x and (a; 1 —> M) € p to mean that 
p contains a mapping of x to M. Figure [^defines the pt>M M' relation in a 
rule-based fashion; these rules use the auxiliary relation p> (xi,... ,Xn) 
that determines an environment corresponding to a tuple of variables. The cc-let 
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and cc-fix rules have a proviso: the bound variables, x and /, x respectively, 
should have been renamed to avoid clashes with the domain of p. Most of the 
rules have an obvious structure. We comment only on the ones for transforming 
fixed point expressions and applications. The former translates into a closure. 
The function part of the closure is obtained by transforming the body of the 
abstraction, but under a new mapping for its free variables; the expression 
(xi, ... ,Xn) 2 fvars(fix f x.M) means that all the free variables of (fix f x.M) 
appear in the tuple. The environment part of the closure correspondingly contains 
mappings for the variables in the tuple that are determined by the enclosing 
context. Note also that the parameter for the function part of the closure is 
expected to be a triple, the first item of which corresponds to the function being 
defined recursively in the source language expression. The transformation of a 
source language application makes clear how this structure is used to realize 
recursion: the constructed closure application has the effect of feeding the closure 
to its function part as the first component of its argument. 

3.2 A AProlog rendition of closure conversion 

Our presentation of the implementation of closure conversion has two parts: we 
first show how to encode the source and target languages and we then present a 
AProlog specification of the transformation. In the first part, we discuss also the 
formalization of the evaluation and typing relations; these will be used in the 
correctness proofs that we develop later. 

Encoding the languages. We first consider the encoding of types. We will use 
ty as the AProlog type for this encoding for both languages. The constructors 
tnat, tunit and prod will encode, respectively, the natural number, unit and 
pair types. There are two arrow types to be treated. We will represent —> by arr 
and by arr’. The following signature summarizes these decisions. 

tnat,tunit : ty arr,prod,arr’ ; ty —> ty —>■ ty 

We will use the AProlog type tm for encodings of source language terms. The 
particular constructors that we will use for representing the terms themselves are 
the following, assuming that nat is a type for representations of natural numbers: 

nat : nat ^ tm pred,fst,snd : tm —> tm unit : tm 

plus,pair,app : tm —>■ tm —> tm ifz : tm —> tm —> tm —>■ tm 

let : tm —>■ (tm —>■ tm) —>■ tm fix : (tm —>■ tm —>■ tm) —>■ tm 

The only constructors that need further explanation here are let and fix. These 
encode binding constructs in the source language and, as expected, we use AProlog 
abstraction to capture their binding structure. Thus, let x = n'uix is encoded 
as (let (nat n) (x\x)). Similarly, the AProlog term (fix (f\x\ app f x)) 
represents the source language expression (fix f x.f x). 

We will use the AProlog type tm’ for encodings of target language terms. To 
represent the constructs the target language shares with the source language, we 
will use “primed” versions of the AProlog constants seen earlier; e.g., unit’ of 
type tm’ will represent the null tuple. Of course, there will be no constructor 
corresponding to fix. We will also need the following additional constructors: 
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abs’ : (tm’ —> tm’) —>■ tm’ clos’ : tm’ —> tm’ —>■ tm’ 
open’ : tm’ —(tm’ —tm’ —> tm’) —>■ tm’ 


Here, abs’ encodes A-abstraction and clos’ and open’ encode closures and their 
application. Note again the A-tree syntax representation for binding constructs. 

Following Sectionj^ we represent typing judgments as relations between terms 
and types, treating contexts implicitly via dynamically added clauses that assign 
types to free variables. We use the predicates of and of ’ to encode typing in the 
source and target language respectively. The clauses defining these predicates 
are routine and we show only a few pertaining to the binding constructs. The 
rule for typing fixed points in the source language translates into the following, 
of (fix R) (arr T1 T2) 

pi f\ pi x\ of f (arr T1 T2) => of x T1 => of (R f x) T2. 

Note how the required freshness constraint is realized in this clause: the universal 
quantifiers over f and x introduce new names and the application (R f x) replaces 
the bound variables with these names to generate the new typing judgment that 
must be derived. For the target language, the main interesting rule is for typing 
the application of closures. The following clause encodes this rule, 
of’ (open’ M R) T of’ M (arr T1 T2), 

pi f\pi e\ pi 1\ of’ f (arr’ (prod (arr T1 T2) (prod T1 1)) T2) => 
of’ e 1 ^ of’ (R f e) T. 

Here again we use universal quantifiers in goals to encode the freshness constraint. 
Note also how the universal quantifier over the variable 1 captures the opaqueness 
quality of the type of the environment of the closure involved in the construct. 

We encode the one step evaluation rules for the source and target languages 
using the predicates step and step’. We again consider only a few interesting 
cases in their definition. Assuming that val and val ’ recognize values in the 
source and target languages, the clauses for evaluating the application of a fixed 
point and a closure are the following. 

step (app (fix R) V) (R (fix R) V) val V. 

step’ (open’ (clos’ F E) R) (R F E) val’ (clos’ F E). 

Note here how application in the meta-language realizes substitution. 

We use the predicates nstep (which relates a natural number and two terms) 
and eval to represent the n-step and full evaluation relations for the source 
language, respectively. These predicates have obvious definitions. The predicates 
nstep’ and eval’ play a similar role for the target language. 


Specifying closure conversion. To define closure conversion in AProlog, we 
need a representation of mappings for source language variables. We use the 
type map and the constant map : tm —> tm ’ —^ map to represent the mapping 
for a single variablej^We use the type map_list for lists of such mappings, the 
constructors nil and : : for constructing such lists and the predicate member for 
checking membership in them. We also need to represent lists of source and target 
language terms. We will use the types tm_list and tm’_list for these and for 


^ This mapping is different from the one considered in Section 
source language variable to a target language term. 


2.3 


in that it is from a 
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simplicity of discussion, we will overload the list constructors and predicates at 
these types. Polymorphic typing in AProlog supports such overloading but this 
feature has not yet been implemented in Abella; we overcome this difficulty in 
the actual development by using different type and constant names for each case. 

The crux in formalizing the definition of closure conversion is capturing the 
content of the cc-fix rule. A key part of this rule is identifying the free variables in 
a given source language term. We realize the requirement by defining a predicate 
fvars that is such that if (fvars M LI L2) holds then LI is a list that includes 
all the free variables of M and L2 is another list that contains only the free 
variables of M. We show a few critical clauses in the definition of this predicate, 
omitting ones whose structure is easy predict. 

fvars X _ nil notfree X. 

fvars Y Vs (Y :: nil) member Y Vs. 

fvars (nat _) _ nil. 

fvars (plus Ml M2) Vs FVs 

fvars Ml Vs FVsl, fvars M2 Vs FVs2, combine FVsl FVs2 FVs. 

fvars (let M R) Vs FVs fvars M Vs FVsl, 

(pi x\ notfree x => fvars (R x) Vs FVs2) , combine FVsl FVs2 FVs. 
fvars (fix R) Vs FVs 

pi f\ pi x\ notfree f => notfree x => fvars (R f x) Vs FVs. 

The predicate combine used in these clauses is one that holds between three lists 
when the last is a combination of the elements of the first two. The essence of the 
definition of fvars is in the treatment of binding constructs. Viewed operationally, 
the body of such a construct is descended into after instantiating the binder with 
a new variable marked notfree. Thus, the variables that are marked in this way 
correspond to exactly those that are explicitly bound in the term and only those 
that are not so marked are collected through the second clause. It is important 
also to note that the specification of fvars has a completely logical structure; 
this fact can be exploited during verification. 

The cc-fix rule requires us to construct an environment representing the 
mappings for the variables found by fvars. The predicate mapenv specified by 
the following clauses provides this functionality, 
mapenv nil _ unit. 

mapenv (X::L) Map (pair’ M ML) member (map X M) Map, mapenv L Map ML. 

The cc-fix rule also requires us to create a new mapping from the variable list 
to projections from an environment variable. Representing the list of projection 
mappings as a function from the environment variable, this relation is given by 
the predicate mapvar that is defined by the following clauses, 
mapvar nil (e\ nil). 

mapvar (X::L) (e\ (map X (fsf e))::(Map (snd’ e))) :- mapvar L Map. 

We can now specify the closure conversion transformation. We provide clauses 
below that define the predicate cc such that (cc Map Vs M M’) holds if M’ is 
a transformed version of M under the mapping Map for the variables in Vs; we 
assume that Vs contains all the free variables of M. 
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cc _ _ (nat N) (naf N) . 
cc Map Vs X M : - member (map X M) Map. 
cc Map Vs (pred M) (pred’ M’) cc Map Vs M M’. 
cc Map Vs (plus Ml M2) (plus’ Ml’ M2’) 
cc Map Vs Ml Ml’, cc Map Vs M2 M2’, 
cc Map Vs (ifz M Ml M2) (ifz’ M’ Ml’ M2’) 

cc Map Vs M M’, cc Map Vs Ml Ml’, cc Map Vs M2 M2’, 
cc Map Vs unit unit’. 

cc Map Vs (pair Ml M2) (pair’ Ml’ M2’) 

cc Map Vs Ml Ml’, cc Map Vs M2 M2’, 

cc Map Vs (fst M) (fsf M’) : - cc Map Vs MM’, 

cc Map Vs (snd M) (snd’ M’) : - cc Map Vs MM’, 

cc Map Vs (let M R) (let’ M’ R’) cc Map Vs M M’, 

pi x\ pi y\ cc ((map x y) :: Map) (x :: Vs) (R x) (R’ y). 
cc Map Vs (fix R) (clos’ (abs’ (p\ let’ (fsf p) (g\ 
let’ (fsf (snd’ p)) (y\ 

let’ (snd’ (snd’ p)) (e\ R’ g y e))))) E) 
fvars (fix R) Vs FVs, mapenv FVs Map E, mapvar FVs NMap, 
pi f\ pi x\ pi g\ pi y\ pi e\ 

cc ((map X y)::(map f g)::(NMap e)) (x::f::FVs) (R f x) (R’ g y e). 
cc Map Vs (app’ Ml M2) 

(let’ Ml’ (g\ open’ g (f\e\ app’ f (pair’ g (pair’ M2’ e))))) 
cc Map Vs Ml Ml’, cc Map Vs M2 M2’. 

These clauses correspond very closely to the rules in Figure Note especially 
the clause for transforming an expression of the form (fix R) that encodes the 
content of the cc-fix rule. In the body of this clause, fvars is used to identify 
the free variables of the expression, and mapenv and mapvar are used to create 
the reified environment and the new mapping. In both this clause and in the 
one for transforming a let expression, the A-tree representation, universal goals 
and (meta-language) applications are used to encode freshness and renaming 
requirements related to bound variables in a concise and logically precise way. 

3.3 Implementing other transformations 

We have used the ideas discussed in the preceding subsections in realizing other 
transformations such as code hoisting and conversion to continuation-passing 
style (CPS). These transformations are part of a tool-kit used by compilers for 
functional languages to convert programs into a form from which compilation 
may proceed in a manner similar to that for conventional languages like C. 

Our implementation of the CPS transformation is based on the one-pass 
version described by Danvy and Filinski [T3] that identifies and eliminates the 
so-called administrative redexes on-the-fly. This transformation can be encoded 
concisely and elegantly in AProlog by using meta-level redexes for administrative 
redexes. The implementation is straightforward and similar ones that use the 
HOAS approach have already been described in the literature; e.g. see m- 
Our implementation of code hoisting is more interesting; it benehts in an 
essential way once again from the ability to analyze binding structure. The code 
hoisting transformation lifts nested functions that are closed out into a flat space 
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at the top level in the program. This transformation can be realized as a recursive 
procedure: given a function (Ax.M), the procedure is applied to the subterms 
of M and the extracted functions are then moved out of {Xx.M). Of course, for 
this movement to be possible, it must be the case that the variable x does not 
appear in the functions that are candidates for extraction. This “dependency 
checking” is easy to encode in a logical way within our framework. 

To provide more insight into our implementation of code-hoisting, let us 
assume that it is applied after closure conversion and that its source and target 
languages are both the language shown in Figure Applying code hoisting to 
any term will result in a term of the form 

let /i = Ml in ... let /„ = M„ in M 

where, for 1 < i < n, Mi corresponds to an extracted function. We will write this 
term below as (letf / = M in M) where / = (/i,..., /„) and, correspondingly, 
M = (Mi,...,M„). 

We write the judgment of code hoisting as {p> M -^ch M') where p has the 
form (xi,..., Xn)- This judgment asserts that M' is the result of extracting all 
functions in M to the top level, assuming that p contains all the bound variables 
in the context in which M appears. The relation is defined by recursion on the 
structure of M. The main rule that deserves discussion is that for transforming 
functions. This rule is the following: 

p,x> M -^ch letf f = F in M' 

p>Xx.M -^ch letf {f,g) = {F, Xf.Xx.letf / = (7ri(/),... ,7r„(/)) in M') in g f 

We assume here that / = (/i,..., /„) and, by an abuse of notation, we let 
{g f) denote {g (/i,..., /„)). This rule has a side condition: x must not occur in 
F. Intuitively, the term (Ax.M), is transformed by extracting the functions from 
within M and then moving them further out of the scope of x. Note that this 
transformation succeeds only if none of the extracted functions depend on x. The 
resulting function is then itself extracted. In order to do this, it must be made 
independent of the (previously) extracted functions, something that is achieved 
by a suitable abstraction; the expression itself becomes an application to a tuple 
of functions in an appropriate let environment. 

It is convenient to use a special representation for the result of code hoisting in 
specifying it in AProlog. Towards this end, we introduce the following constants: 

hbase : tm’ —>■ tm’ 

habs : (tm’ —>■ tm’) —> tm’ 

htm : tm’_list —> tm’ —>■ tm’ 

Using these constants, the term (letf (/i,..., /„) = (Mi,..., M„) in M) that 
results from code hoisting will be represented by 

htm (Ml :: ... :: Mn :: nil) (habs (fl\ ... (habs (fn\ hbase M)))). 

We use the predicate ch : tm’ —>■ tm’ —>■ o to represent the code hoisting 
judgment. The context p in the judgment will be encoded implicitly through 
dynamically added program clauses that specify the translation of each variable 
X as (htm nil (hbase x)). In this context, the rule for transforming functions, 
the main rule of interest, is encoded in the following clause: 
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ch (abs’ M) M” 

(pi x\ ch X (htm nil (hbase x)) => ch (M x) (htm FE (M’ x))), 

extract FE M’ M’’. 

As in previous specifications, a universal and a hypothetical goal are used in 
this clause to realize recursion over binding structure. Note also the completely 
logical encoding of the requirement that the function argument must not occur 
in the nested functions extracted from its body: quantifier ordering ensures that 
FE cannot be instantiated by a term that contains x free in it. We have used 
the predicate extract to build the hnal result of the transformation from the 
transformed form of the function body and the nested functions extracted from 
it; the definition of this predicate is easy to construct and is not provided here. 

4 Verifying Transformations on Functional Programs 

We now consider the verification of AProlog implementations of transformations 
on functional programs. We exploit the two-level logic approach in this process, 
treating AProlog programs as HOHH specifications and reasoning about them 
using Abella. Our discussions below will show how we can use the A-tree syntax 
approach and the logical nature of our specifications to benefit in the reasoning 
process. Another aspect that they will bring out is the virtues of the close 
correspondence between rule based presentations and HOHH specifications: this 
correspondence allows the structure of informal proofs over inference rule style 
descriptions to be mimicked in a formalization within our framework. 

We use the closure conversion transformation as our main example in this 
exposition. The first two subsections below present, respectively, an informal proof 
of its correctness and its rendition in Abella. We then discuss the application of 
these ideas to other transformations. Our proofs are based on logical relation style 
definitions of program equivalence. Other forms of semantics preservation have 
also been considered in the literature. Our framework can be used to advantage in 
formalizing these approaches as well, an aspect we discuss in the last subsection. 

4.1 Informal verification of closure conversion 

To prove the correctness of closure conversion, we need a notion of equivalence 
between the source and target programs. Following [55], we use a logical relation 
style definition for this purpose. A complication is that our source language 
includes recursion. To overcome this problem, we use the idea of step indexing m- 
Specifically, we define the following mutually recursive simulation relation ~ 
between closed source and target terms and equivalence relation « between closed 
source and target values, each indexed by a type and a step measure. 

M ~T;fc M' Vj < fc.VH.M ^jV D 3V'.M' ^V' AV V; 

U U; () ~unit;fc (); 

(Hi, 14) ~(TixT,);fc (H/, 14') ^ Vi Vi' A 14 ~T,;k 14'; 

(fix fx.M) (H', He) Vj < fc.VHl, H/, H2, Hj'. 

Hi Hi' 3 H2 H^' D M [H2//, Hi/s:] V (Hj', H/, He). 
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Note that the definition of « in the fixed point/closure case uses « negatively 
at the same type. However, it is still a well-defined notion because the index 
decreases. The cumulative notion of equivalence, written M M', corresponds 
to two expressions being equivalent under any index. 

Analyzing the simulation relation and using the evaluation rules, we can show 
the following “compatibility” lemma for various constructs in the source language. 

Lemma 1 1. If M M' then pred M ~N;fc pred M'. If also N N' 

then M -\- N M' + N'. 

2. If M ~TixT 2 ;fe M' then fst M fst M' and snd M ~T 2 ;fc snd M'. 

3. IfM^T^-k M' and N N' then (M, Af) ~TixT 2 ;fc {M',N'). 

f. If M ~N;fc M', Ml ^T;k M'l and M 2 '^T\k M 2 , then 

if M then Mi else M 2 if M' then M[ else M 2 . 

5. If Ml ~Ti->T 2 ;/c and M 2 ‘^Ti;k M 2 then 

Ml M 2 ^Tr,k let g = M[ in open {xf,Xe) = ginxf {g,M 2 ,Xe). 

The proof of the last of these properties requires us to consider the evaluation of 
the application of a fixed point expression which involves “feeding” the expression 
to its own body. In working out the details, we use the easily observed property 
that the simulation and equivalence relations are closed under decreasing indices. 

Our notion of equivalence only relates closed terms. However, our transfor¬ 
mation typically operates on open terms, albeit under mappings for the free 
variables. To handle this situation, we consider semantics preservation for possi¬ 
bly open terms under closed substitutions. We will take substitutions in both 
the source and target settings to be simultaneous mappings of closed values 
for a finite collection of variables, written as {Vi/xi ,..., Vnjxrf). In defining a 
correspondence between source and target language substitutions, we need to 
consider the possibility that a collection of free variables in the first may be 
reified into an environment variable in the second. This motivates the following 
definition in which 7 represents a source language substitution: 

7 «2^„:T„,...,a:i:Ti;fc (Hi, . . . , Vm) <5=^ VI < 1 < m.'y(Xi) Vi- 

Writing 71 ; 72 for the concatenation of two substitutions viewed as lists, equiva¬ 
lence between substitutions is then defined as follows: 

(Vi/xi,... ,H„/a ;„);7 {Vl/yi ,..., Ve/x^) 

(VI < i < n.Vi ~Ti;k Vi) A 7 «r;fe 14. 

Note that both relations are indexed by a source language typing context and 
a step measure. The second relation allows the substitutions to be for different 
variables in the source and target languages. A relevant mapping will determine 
a correspondence between these variables when we use the relation. 

We write the application of a substitution 7 to a term M as ^[ 7 ]. The first 
part of the following lemma, proved by an easy use of the definitions of « and 
evaluation, provides the basis for justifying the treatment of free variables via 
their transformation into projections over environment variables introduced at 
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function boundaries in the closure conversion transformation. The second part of 
the lemma is a corollary of the first part that relates a source substitution and 
an environment computed during the closure conversion of fixed points. 

Lemma 2 Let 5 = iy^j Xi-, ■ ■ ■-.V^l and S' = {Vl/yi,..., V^y^y^jx^) be 
source and target language substitutions and let F = {x'^ : ... ,x'i :T{,Xn : 

Tn,... ,Xi : Ti) be a source language typing context such that S ^r-,k S'. Further, 
let p= {xil->- yi,...,Xn'-)- yn.x'i !-)■ TTi{Xe), . . . , TTmiXe))- 

F If X : T G F then there exists a value V such that (p(x))[(5'] ^ V' and 
S(x) «T;fc V'. 

2. If F' = {zi : Tz-i,... ,Zj : Tz -) for F' C F and p\> {zi,..., Zj) M, then 

there exists Vf such that M[S'] ^ Vf and S ~r'-k Vf. 

The proof of semantics preservation also requires a result about the preservation of 
typing. It takes a little effort to ensure that this property holds at the point in the 
transformation where we cross a function boundary. That effort is encapsulated 
in the following strengthening lemma in the present setting. 

Lemma 3 If F V~ M :T, {xi ,..., x„} 3 fvars(M) and Xi : G F for 1 < i < 
n, then Xn : T„,..., xi : Ti h M : T. 

The correctness theorem can now be stated as follows: 


Theorem 4 Let 5 = (Fi/xi,..., 7 and S' = {Vl/yi,..., Vffy„,Velxe) 

be source and target language substitutions and let F = (a;^ : Tf,,... ,x'i : T[,Xn ■ 
Tn, ■ ■. ,xi : Ti) be a source language typing context such that S «r;fc S'. Further, 
let p = (xi 2 / 1 ,... ,a;„ yn,x'^ ^ T^i{xe), ■ ■ ■ .a:'™ iTmixe))- If F \- M :T 
and p> M M', then M[S\ '-^T-k M'[S']. 


We outline the main steps in the argument for this theorem: these will guide 
the development of a formal proof in Section 4.2 We proceed by induction on 
the derivation of p > M -w M', analyzing the last step in it. This obviously 
depends on the structure of M. The case for a number is obvious and for a 
variable we use Lemma [^1. In the remaining cases, other than when M is of the 
form (let x = Mi in M 2 ) or (fix fx.Mi), the argument follows a set pattern: 
we observe that substitutions distribute to the sub-components of expressions, 
we invoke the induction hypothesis over the sub-components and then we use 
Lemmato conclude. If M is of the form (let x = Mi in M 2 ), then M' must be 
of the form (let y = M( in M^). Here again the substitutions distribute to Mi 
and M 2 and to M( and M^, respectively. We then apply the induction hypothesis 
first to Ml and M( and then to M 2 and M^; in the latter case, we need to consider 
extended substitutions but these obviously remain equivalent. Finally, if M is of 
the form (fix f x.Mi), then M' must have the form {M'i,M'f). We can prove that 
the abstraction M{ is closed and therefore that M'[cr'] = (M{, M 2 [(j']). We then 
apply the induction hypothesis. In order to do so, we generate the appropriate 
typing judgment using Lemmaand a new pair of equivalent substitutions (under 
a suitable step index) using Lemma [ 2 | 2 . 
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4.2 Formal verification of the implementation of closure conversion 

In the subsections below, we present a sequence of preparatory steps, leading 
eventually to a formal version of the correctness theorem. 

Auxiliary predicates used in the formalization. We use the techniques 
of Section to define some predicates related to the encodings of source and 
target language types and terms that are needed in the main development; unless 
explicitly mentioned, these definitions are in Q. First, we define the predicates 
ctx and ctx’ to identify typing contexts for the source and target languages. 
Next, we define in HOHH the recognizers tm and tm’ of well-formed source and 
target language terms. A source (target) term M is closed if {tm M} ({tm’ M}) is 
derivable. The predicate is_sty recognizes source types. Finally, vars_of _ctx is 
a predicate such that (vars_of _ctx L Vs) holds if L is a source language typing 
context and Vs is the list of variables it pertains to. 

Step indexing uses ordering on natural numbers. We represent natural num¬ 
bers using z for 0 and s for the successor constructor. The predicate is_nat 
recognizes natural numbers. The predicates It and le, whose definitions are 
routine, represent the “less than” and the “less than or equal to” relations. 

The simulation and equivalence relations. The following clauses define the 
simulation and equivalence relations. 

Sim T K M M’ A VJ V, le J K {nstep J M V} {val V} 

3V’ N, {eval’ M’ V’} A {add J N K> A equiv T N V V’; 
equiv tnat K (nat N) (nat’ N); 
equiv tunit K unit unit’; 

equiv (prod T1 T2) K (pair VI V2) (pair’ VI’ V2’) A 
equiv T1 K VI VI ’ A equiv T2 K V2 V2’ A 
{tm Vl> A {tm V2> A {tm’ Vl’> A {tm’ V2’}; 
equiv (arr T1 T2) z (fix R) (clos’ (abs’ R’) VE) = 

{val’ VEI A {tm (fix R))- A {tm’ (clos’ (abs’ R’) VE)!; 
equiv (arr T1 T2) (s K) (fix R) (clos’ (abs’ R’) VE) = 
equiv (arr T1 T2) K (fix R) (clos’ (abs’ R’) VE) A 
VVl VI’ V2 V2’, equiv T1 K VI VI’ equiv (arr T1 T2) K V2 V2’ -A 
Sim T2 K (R V2 VI) (R’ (pair’ V2’ (pair’ VI’ VE))). 

The formula (sim T K M M’) is intended to mean that M simulates M’ at type T 
in K steps; (equiv T K V V’) has a similar interpretation. Note the exploitation 
of A-tree syntax, specifically the use of application, to realize substitution in 
the definition of equiv. It is easily shown that sim holds only between closed 
source and target terms and similarly equiv holds only between closed source 
and target values]^ 

Compatibility lemmas in the style of Lemmaare easily stated for sim. For 
example, the one for pairs is the following. 

^ The definition of equiv uses itself negatively in the last clause and thereby violates the 
original stratification condition of Q. However, Abella permits this definition nnder 
a weaker stratification condition that ensures consistency provided the definition is 
used in restricted ways [338], a requirement that is adhered to in this paper. 
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VTl T2 K Ml M2 Ml’ M2’, {is_nat K> -i> {is_sty Tl}- -i> {is_sty T2} 

Sim Tl K Ml Ml’ sim T2 K M2 M2’ 

Sim (prod Tl T2) K (pair Ml M2) (pair’ Ml’ M2’). 

These lemmas have straightforward proofs. 

Representing substitutions. We treat substitutions as discussed in Section 
For example, source substitutions satisfy the following definition. 

subst nil; 

subst ((map X V) : :ML) = subst ML A name X A {val Vf A {tm V} A 
VV’, member (map X V’) ML -A V’ = V. 

By definition, these substitutions map variables to closed values. To accord with 
the way closure conversion is formalized, we allow multiple mappings for a given 
variable, but we require all of them to be to the same value. The application of a 
source substitution is also defined as discussed in Section [2l 

app_subst nil M M; 

Vx,app_subst ((map x V) : : (ML x)) (R x) M = Vx,app_subst (ML x) (R V) M. 

As before, we can easily prove properties about substitution application based on 
this definition such as that such an application distributes over term structure 
and that closed terms are not affected by substitution. 

The predicates subst ’ and app_subst ’ encode target substitutions and their 
application. Their formalization is similar to that above. 

The equivalence relation on substitutions. We first define the relation 
subst_env_equiv between source substitutions and target environments: 

subst_env_equiv nil K ML unit’; 

subst_env_equiv ((of X T)::L) K ML (pair’ V’ VE) = 

3V,subst_env_equiv L K ML VE A member (map X V) ML A equiv T K V V’. 

Using subst_env_equiv, the needed relation between source and target substi¬ 
tutions is defined as follows. 

Ve, subst_equiv L K ML ((map e VE)::nil) A subst_env_equiv L K ML VE; 
Vx y, subst_equiv ((of x T)::L) K ((map x V)::ML) ((map y V’)::ML’) = 
equiv T K V V’ A subst_equiv L K ML ML’. 


Lemmas abont fvars, mapvar and mapenv. Lemma [^translates into a lemma 
about fvars in the implementation. To state it, we define a strengthening relation 
between source typing contexts: 

prune_ctx nil L nil; 

prune_ctx (X::Vs)L((ofXT)::L’) = member (of X T) L A prune_ctx Vs L L’ . 

(prune_ctx Vs L L’) holds if L’ is a typing context that “strengthens” L to 
contain type assignments only for the variables in Vs. The lemma about fvars 
is then the following. 
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VL Vs M T FVs, ctx L —> vars_of_ctx L Vs —>■ {L h of M T} 

{fvars M Vs FVs} —> 3L’, prune_ctx FVs L L’ A fL’ h of M T}. 

To prove this theorem, we generalize it so that the HOHH derivation of (fvars 
M Vs FVs) is relativized to a context that marks some variables as not free. The 
resulting generalization is proved by induction on the fvars derivation. 

A formalization of Lemma [21 is also needed for the main theorem. We start 
with a lemma about mapvar. 

VL Vs Map ML K VE X T M’ V, Ve. {is_nat K} ctx L -A subst ML -A 
subst_env_equiv L K ML VE —)■ vars_of_ctx L Vs —)■ {mapvar Vs Map} -A 
member (of X T) L —app_subst ML X V —{member (map X (M’ e)) (Map e)} 
-i>3V’, {eval’ (M’ VE) V’} A equiv T K V V’. 

In words, this lemma states the following. If L is a source typing context for 
the variables (a;i,..., x„), ML is a source substitution and VE is an environment 
equivalent to ML at L, then mapvar determines a mapping for (xi ,... ,Xn) that are 
projections over an environment with the following character: if the environment 
is taken to be VE, then, for 1 < i < n, Xi is mapped to a projection that must 
evaluate to a value equivalent to the substitution for Xi in ML. The lemma is 
proved by induction on the derivation of {mapvar Vs Map}. 

Lemma HI is now formalized as follows. 

VL ML ML’ K Vs Vs’ Map, {is_nat K} -A ctx L -A subst ML —>■ 
subst’ ML’ —> subst_equiv L K ML ML’ —> vars_of_ctx L Vs —A 
vars_of _subst ’ ML’ Vs’ -A to_mapping Vs Vs’ Map -A 
(V X T V M’ M’’, member (of X T) L —A {member (map X M’) Map} —A 
app_subst ML X V —Aapp_subst’ ML’ M’ M’’ —A 
3V’. {eval’ M” V’} A equiv T K V V’) A 
(V L’ NFVs E E’, prune_ctx NFVs L L’ -A 
{mapenv NFVs Map E} —A app_subst’ ML’ E E’ ^ 

3VE’, {eval’ E’ VE’} A subst_env_equiv L’ K ML VE’). 

Two new predicates are used here. The judgment (vars_of_subst ’ ML’ Vs’) 
“collects” the variables in the target substitution ML’ into Vs’. Given source vari¬ 
ables Vs = (xi,... ... ,a:^) and target variables Vs’ = (j/i,..., j/„,Xe), 

the predicate to_mapping creates in Map the mapping 

(xi i-A yi, ... ,a:„ i-A y„,x[ i-A 7 ri(xe), ... ,x^ i-A 7rm(xe)). 

The conclusion of the lemma is a conjunction representing the two parts of 
LemmaThe first part is proved by induction on {member (map X M’) Map}, 
using the lemma for mapvar when X is some x'(l < * < m). The second part is 
proved by induction on {mapenv NFVs Map E} using the first part. 

The main theorem. The semantics preservation theorem is stated as follows: 

VL ML ML’ K Vs Vs’ Map T P P’ MM’. {is_nat K} -A ctx L -A subst ML -A 
subst’ ML’ —A subst_equiv L K ML ML’ —A vars_of_ctx L Vs —A 
vars_of _subst ’ ML’ Vs’ -A to_mapping Vs Vs’ Map —A {L h of M T} —A 
{cc Map Vs M M’} -A app_subst ML M P — A app_subst ’ ML’ M’ P’ —A sim T K P P ’ . 
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We use an induction on {cc Map Vs M M’}, the closure conversion derivation, to 
prove this theorem. As should be evident from the preceding development, the 
proof in fact closely follows the structure we outlined in Section [4A] 

4.3 Verifying the implementations of other transformations 

We have used the ideas presented in this section to develop semantics preservation 
proofs for other transformations such as code hoisting and the CPS transformation. 
We discuss the case for code hoisting below. 

The first step is to define the step-indexed logical relations and that 
respectively represent the simulation and equivalence relation between the input 
and output terms and values for code hoisting: 

M M' ^ Vj < fc.VP.M V 3 BV'.M' ^ V'A V V'; 

n n; 

() ^unit;fc ()i 

(VuV2) ^TiXT,);fe (Vf'Wa) ^ Cl ~T,;k P/ A P 2 ^2 ; 

(Xx.M) ~'T,^T 2 ;k {Xx.M') ^ Vj < k.\/V,V'.V V' D M[V/x] M'lV'/x]-, 
(Ap.M,V) ^T,^Tr,k (Xp.M'X) ^ Vj < k.VV,,v;,V2,Vl 

Pi Pi' 3 P 2 P 2 3 M [(P 2 , Pi, Pe )/p] X;j M'[(P 2 ', P/. Pe )/p] ■ 

We can show that satishes a set of compatibility properties similar to Lemma 
We next define a step-indexed relation of equivalence between two substitu¬ 
tions <5 = (Pi/xi,..., Vral^m) and i5' = (P//a;i,..., V^lxm) relative to a typing 
context r = {xm '■ X, ■ ■. ,xi : Ti): 

S X;k 5' ^ VI < i < m.Vi X;k Vi 

The semantics preservation theorem for code hoisting is stated as follows: 

Theorem 5 Let 6 = (Pi/xi,..., Vm/Xm) and S' = (V{lxi, ..., Vi/Xm) be sub¬ 
stitutions for the language described in Figure^ Let F = {xm '■ Tm, ..., xi : Ti) be 
a typing context such that 6 S'. Further, let p = (xi,..., Xm)- If F \- M : T 
and pt> M M' hold, then M[S] M'[S'] holds. 

The theorem is proved by induction on the derivation for pt>M -^ch LI'. The base 
cases follow easily, possibly using the fact that S S'. For the inductive cases, 

we observe that substitutions distribute to the sub-components of expressions, 
we invoke the induction hypothesis over the sub-components and we use the 
compatibility property of In the case of an abstraction, <5 and S' must be 
extended to include a substitution for the bound variable. For this case to work 
out, we must show that the additional substitution for the bound variable has 
no impact on the functions extracted by code hoisting. From the side condition 
for the rule deriving p> M -^ch M' in this case, the extracted functions cannot 
depend on the bound variable and hence the desired observation follows. 

In the formalization of this proof, we use the predicate constants sim’ and 
equiv’ to respectively represent and The Abella definitions of these pred¬ 
icates have by now a familiar structure. We also define a constant subst_equiv’ 
to represent the equivalence of substitutions as follows: 
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subst_equiv’ nil K nil nil; 

Vx, subst_equiv’ ((of’ x T)::L) K ((map’ x V)::ML) ((map’ x V’)::ML’) 

= equiv’ T K V V’ A subst_equiv’ L K ML ML’. 

The representation of contexts in the code hoisting judgment in the HOHH 
specification is captured by the predicate ch_ctx that is defined as follows: 

ch_ctx nil; 

Vx, ch_ctx (ch x (htm nil (hbase x)) :: L) = ch_ctx L. 

The semantics preservation theorem is stated as follows, where vars_of_ctx’ is 
a predicate for collecting variables in the typing contexts for the target language, 
vars_of _ch_ctx is a predicate such that (vars_of _ch_ctx L Vs) holds if L is 
a context for code hoisting and Vs is the list of variables it pertains to: 

VL K CL ML ML’ M M’ T FE FE’ P P’ Vs, {is_nat K} ctx’ L 
ch_ctx CL —)■ vars_of_ctx’ L Vs —)■ vars_of_ch_ctx CL Vs —>■ 
subst ’ ML —>■ subst ’ ML’ —>■ subst_equiv’ L K ML ML’ —>■ 

{L h of ’ M T} ^ {CL h ch M (htm FE M’)} app_subst’ ML M P 

app_subst’ ML’ (htm FE M’) (htm FE’ P’) sim’ T K P (htm FE’ P’). 

The proof is by induction on {CL h ch M (htm FE M’)} and its structure follows 
that of the informal one very closely. The fact that the extracted functions do not 
depend on the bound variable of an abstraction is actually explicit in the logical 
formulation and this leads to an exceedingly simple argument for this case. 

4.4 Relevance to other styles of correctness proofs 

Many compiler verification projects, such as CompCert |2T] and CakeML [20], 
have focused primarily on verifying whole programs that produce values of atomic 
types. In this setting, the main requirement is to show that the source and target 
programs evaluate to the same atomic values. Structuring a proof around program 
equivalence base on a logical relation is one way to do this. Another, sometimes 
simpler, approach is to show that the compiler transformations permute over 
evaluation; this method works because transformations typically preserve values 
at atomic types. Although we do not present this here, we have examined proofs 
of this kind and have observed many of the same kinds of benefits to the A-tree 
syntax approach in their context as well. 

Programs are often built by composing separately compiled modules of code. 
In this context it is desirable that the composition of correctly compiled modules 
preserve correctness; this property applied to compiler verification has been called 
modularity. Logical relations pay attention to equivalence at function types and 
hence proofs based on them possess the modularity property. Another property 
that is desirable for correctness proofs is transitivity: we should be able to infer 
the correctness of a multi-stage compiler from the correctness of each of its stages. 
This property holds when we use logical relations if we restrict attention to 
programs that produce atomic values but cannot be guaranteed if equivalence 
at function types is also important; it is not always possible to decompose the 
natural logical relation between a source and target language into ones between 
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several intermediate languages. Recent work has attempted to generalize the 
logical relations based approach to obtain the benefits of both transitivity and 
modularity [32j . Many of the same issues relating to the treatment of binding and 
substitution appear in this context as well and the work in this paper therefore 
seems to be relevant also to the formalization of proofs that use these ideas. 

Finally, we note that the above comments relate only to the formalization 
of proofs. The underlying transformations remain unchanged and so does the 
significance of our framework to their implementation. 


5 Related Work and Conclusion 

Compiler verification has been an active area for investigation. We focus here on 
the work in this area that has been devoted to compiling functional languages. 
There have been several projects with ambitious scope even in this setting. To take 
some examples, the CakeML project has implemented a compiler from a subset of 
ML to the X86 assembly language and verified it using HOL4 [20]; Dargaye has 
used Coq to verify a compiler from a subset of ML into the intermediate language 
used by CompCert El; Hur and Dreyer have used Coq to develop a verified 
single-pass compiler from a subset of ML to assembly code based on a logical 
relations style definition of program equivalence and Neis et al. have used 
Coq to develop a verified multi-pass compiler called Pilsner, basing their proof on 
a notion of semantics preservation called Parametric Inter-Languages Simulation 
(PILS) |32j. All these projects have used essentially first-order treatments of 
binding, such as those based on a De Bruijn style representation. 

A direct comparison of our work with the projects mentioned above is neither 
feasible nor sensible because of differences in scope and focus. Some comparison 
is possible with a part of the Lambda Tamer project of Chlipala in which he 
describes the verihed implementation in Coq of a compiler for the STLC using 
a logical relation based definition of program equivalence m- This work uses 
a higher-order representation of syntax that does not derive all the benefits of 
A-tree syntax. Chlipala’s implementation of closure conversion comprises about 
400 lines of Coq code, in contrast to about 70 lines of AProlog code that are 
needed in our implementation. Chlipala’s proof of correctness comprises about 
270 lines but it benefits significantly from the automation framework that was 
the focus of the Lambda Tamer project; that framework is built on top of the 
already existing Coq libraries and consists of about 1900 lines of code. The 
Abella proof script runs about 1600 lines. We note that Abella has virtually no 
automation and the current absence of polymorphism leads to some redundancy 
in the proof. We also note that, in contrast to Chlipala’s work, our development 
treats a version of the STLC that includes recursion. This necessitates the use of 
a step-indexed logical relation which makes the overall proof more complex. 

Other frameworks have been proposed in the literature that facilitate the use 
of HOAS in implementing and verifying compiler transformations. Hickey and 
Nogin describe a framework for effecting compiler transformations via rewrite 
rules that operate on a higher-order representation of programs m- However, 
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their framework is embedded within a functional language. As a result, they 
are not able to support an analysis of binding structure, an ability that brings 
considerable benefit as we have highlighted in this paper. Moreover, this framework 
offers no capabilities for verification. Hannan and Pfenning have discussed using 
a system called Twelf that is based on LF in specifying and verifying compilers; 
see, for example, [TS] and [33] for some applications of this framework. The way 
in which logical properties can be expressed in Twelf is restricted; in particular, 
it is not easy to encode a logical relation-style definition within it. The Beluga 
system |34| . which implements a functional programming language based on 
contextual modal type theory [31] . overcomes some of the shortcomings of Twelf. 
Rich properties of programs can be embedded in types in Beluga, and Belanger 
et al. show how this feature can be exploited to ensure type preservation for 
closure conversion [7]. Properties based on logical relations can also be described 
in Beluga nnj. It remains to be seen if semantics preservation proofs of the kind 
discussed in this paper can be carried out in the Beluga system. 

While the framework comprising AProlog and Abella has significant benefits in 
the verified implementation of compiler transformations for functional languages, 
its current realization has some practical limitations that lead to a larger proof 
development effort than seems necessary. One such limitation is the absence of 
polymorphism in the Abella implementation. A consequence of this is that the 
same proofs have sometimes to be repeated at different types. This situation 
appears to be one that can be alleviated by allowing the user to parameterize 
proofs by types and we are currently investigating this matter. A second limitation 
arises from the emphasis on explicit proofs in the theorem-proving setup. The 
effect of this requirement is especially felt with respect to lemmas about contexts 
that arise routinely in the A-tree syntax approach: such lemmas have fairly 
obvious proofs but, currently, the user must provide them to complete the overall 
verification task. In the Twelf and Beluga systems, such lemmas are obviated by 
absorbing them into the meta-theoretic framework. There are reasons related to 
the validation of verification that lead us to prefer explicit proofs. However, as 
shown in [Bj, it is often possible to generate these proofs automatically, thereby 
allowing the user to focus on the less obvious aspects. In ongoing work, we are 
exploring the impact of using such ideas on reducing the overall proof effort. 
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